On Mon, Apr 23, 2007 at 06:20:56PM +0200, xiando wrote:
 [...]
> Their nameservers are:
>
> nameserver 208.67.222.222
> nameserver 208.67.220.220
>
> At first blush their service may seem plausible. However, try them and visit
> something like www.akljfdlkajdfasfd.com, which takes you to:
> http://guide.opendns.com/?url=www.akljfdlkajdfasfd.com
>
> I'm sorry, but if I try a non-existing domain then I prefer to be informed
> that the domain can not be found. OpenDNS will tell you "Sure, there's a
> website called whateveryoutrytoresolve.com, here's the IP, and you should go
> visit that site and view all these advertisements we've put up
> there".

Ha. Actually, this is old news: if an exit node is running the Tor 0.1.2.x
series, it can detect DNS hijacking of this kind, and translate the IP
addresses for the advertisement pages back into "no such domain" responses.

From the ChangeLog for 0.1.2.2-alpha:

  - Workaround for name servers (like Earthlink's) that hijack failing DNS
    requests and replace the no-such-server answer with a "helpful" redirect
    to an advertising-driven search portal. Also work around DNS hijackers
    who "helpfully" decline to hijack known-invalid RFC2606 addresses.
    Config option "ServerDNSDetectHijacking 0" lets you turn it off.

From the svn logs:

  Instead of just checking known-invalid addresses for DNS hijacking, we now
  check randomly generated addresses, and if too many of them map to the same
  IP, we assume that IP is the destination of a DNS hijack attempt.

A little bird tells me that some DNS hijackers think that declining to give
an A record for RFC2606 addresses (like .invalid and .example) makes them
more standards compliant. Standards-wise, this is like an illicit brothel
making sure that nobody has pulled the tags off the mattresses, but that
doesn't get us out of working around it.
The anonymity issues of having a large number of exit nodes send all their
DNS requests to the same third party are somewhat troubling, but no more so
than having the same number of exit nodes using the same ISP or backbone.

Of course, this is neither an endorsement of OpenDNS nor an endorsement of
their stupid and annoying DNS NEXIST hijacking.

yrs,
-- 
Nick Mathewson
Attachment: pgpmWmMo9ZrzY.pgp (PGP signature)
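The detection heuristic quoted above (probe randomly generated names, flag any address too many of them share, then rewrite answers pointing at that address back into NXDOMAIN) is small enough to show end to end. The following is an added example written for this page, not Tor's own code: the probe count and threshold are hypothetical knobs, the resolvers are constructed in-memory stubs standing in for an honest nameserver and for a hijacking one, and the addresses come from the RFC 5737 TEST-NET-1 range. It also includes the older RFC 2606-only check, to show why a hijacker that declines to answer for .invalid and .example slips past it.

```python
"""NXDOMAIN-hijack detection in the style of Tor 0.1.2.x's ServerDNSDetectHijacking.

Added example, not code from Tor. The thresholds below are assumptions,
and both resolvers are constructed stubs so the script runs offline.
"""
import random
import string
from collections import Counter
from typing import Callable, List, Optional, Set

# A resolver maps a hostname to an IPv4 string, or None for "no such domain".
Resolver = Callable[[str], Optional[str]]

# Hypothetical knobs; Tor's real values are not given on the page.
PROBE_COUNT = 16        # random names to resolve
HIJACK_THRESHOLD = 8    # this many probes on one address => hijack sink


def random_label(rng: random.Random, length: int = 12) -> str:
    """A lowercase label that is overwhelmingly unlikely to be registered."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def probe_names(rng: random.Random, count: int = PROBE_COUNT) -> List[str]:
    """Random names under a real TLD, like www.akljfdlkajdfasfd.com in the thread.

    RFC 2606 names (.invalid, .example) are deliberately not used here: as the
    post notes, some hijackers special-case them, so they tell us nothing.
    """
    return ["www.%s.com" % random_label(rng) for _ in range(count)]


def rfc2606_only_check(resolve: Resolver) -> bool:
    """The older, weaker check: does a known-invalid name get an A record?"""
    return resolve("www.something.invalid") is not None


def detect_hijack_sinks(resolve: Resolver,
                        rng: Optional[random.Random] = None,
                        probe_count: int = PROBE_COUNT,
                        threshold: int = HIJACK_THRESHOLD) -> Set[str]:
    """Resolve random names; any address shared by >= threshold of them is a sink."""
    rng = rng or random.Random(0)   # seeded only so the example is repeatable
    hits: Counter = Counter()
    for name in probe_names(rng, probe_count):
        addr = resolve(name)
        if addr is not None:
            hits[addr] += 1
    return {addr for addr, n in hits.items() if n >= threshold}


def make_unhijacked_resolver(resolve: Resolver, sinks: Set[str]) -> Resolver:
    """Wrap a resolver so answers pointing at a known hijack sink become NXDOMAIN."""
    def wrapped(name: str) -> Optional[str]:
        addr = resolve(name)
        return None if addr in sinks else addr
    return wrapped


# ---- constructed stubs (TEST-NET-1 addresses, not real hosts) ----------------
KNOWN_HOSTS = {
    "www.example.org": "192.0.2.10",
    "mail.example.org": "192.0.2.11",
}
SEARCH_PORTAL = "192.0.2.77"   # the hijacker's advertising-driven landing page


def honest_resolver(name: str) -> Optional[str]:
    return KNOWN_HOSTS.get(name)


def hijacking_resolver(name: str) -> Optional[str]:
    """Answers every unknown name with the portal, except RFC 2606 names,
    which it leaves alone to look "standards compliant"."""
    if name in KNOWN_HOSTS:
        return KNOWN_HOSTS[name]
    if name.endswith((".invalid", ".example", ".test", ".localhost")):
        return None
    return SEARCH_PORTAL


if __name__ == "__main__":
    sinks = detect_hijack_sinks(hijacking_resolver)
    fixed = make_unhijacked_resolver(hijacking_resolver, sinks)
    print("RFC 2606 check alone says hijacked:", rfc2606_only_check(hijacking_resolver))
    print("random-probe sinks:", sinks)
    print("www.akljfdlkajdfasfd.com ->", fixed("www.akljfdlkajdfasfd.com"))
    print("www.example.org ->", fixed("www.example.org"))
```

Two caveats a practitioner should keep in mind. The threshold decides the trade-off: too low and a wildcard-hosted CDN address that several probes happen to land on gets blocklisted, too high and a hijacker that rotates among a few portal addresses goes undetected. And the rewrite is only as good as the sink list, so any real site that genuinely lives on the flagged address becomes unreachable through that exit, which is one more reason to prefer a resolver that simply returns NXDOMAIN.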